Re: rssh security announcement

All,
Today I released rssh-2.3.4, which fixes an old issue, and a new
issue:
On Tue, May 08, 2012 at 01:14:26PM -0500, Derek Martin wrote:
> rssh is a shell for restricting SSH access to a machine to only scp,
> sftp, or a small set of similar applications.
>
> http://www.pizzashack.org/rssh/
>
> Henrik Erkkonen has discovered that, through clever manipulation of
> environment variables on the ssh command line, it is possible to
> circumvent rssh. As far as I can tell, there is no way to effect a
> root compromise, except of course if the root account is the one
> you're attempting to protect with rssh...
This was CVE-2012-3478, for which I had originally only posted a patch
to the rssh mailing list. It is now fixed in the new release.
The new issue is CVE-2012-2252, which involves improper filtering of
the rsync command line, when rsync support is configured. This may be
somewhat of a non-issue for recent stock rssh installations, as
stock rssh does not support newer rsync binaries which use -e to
specify the rsync protocol; thus if you're using rssh with a recent
installation, rsync does not work for you anyway, and you therefore
most likely have it disabled by config. Nevertheless, it is a
legitimate security concern if you have rsync enabled in the
configuration. This also is fixed in 2.3.4.
This release also includes some mostly trivial updates for the build
and a bit of minor code clean-up.
For people using rssh packages from Debian, Red Hat, or one of their
derivatives, a third vulnerability was recently discovered, assigned
CVE-2012-2251. This issue exists only in a third-party patch to make
rssh work with newer rsync binaries. Stock rssh *is not vulnerable*
to this issue. However if you are relying on your vendor to package
rssh, this likely affects you.
Lastly, since the vendors are providing their own packages, and I'm no
longer set up to build RPMs, I am no longer providing rssh in RPM
form. Please be sure to update rssh to v2.3.4, either by downloading
and compiling from the website, or by updating your vendor's packages.
http://www.pizzashack.org/rssh/downloads.shtml
Thank you.
--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
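An added illustration of the two command-line checks this release is about, written for this page rather than taken from rssh (rssh is C, and its real parsing differs). The thread deliberately withholds the details of CVE-2012-3478, so the environment-variable part below shows only the general class: a leading NAME=value word in the "-c" string, which /bin/sh would export to the child and which a checker that merely looks for an allowed command word somewhere in the line would miss. The rsync part follows what Russ Allbery's later message in this thread describes: newer rsync clients reuse the -e option, appended to the cluster of short options as in "-vlogDtpre.iLsfxC", to carry a dot-prefixed protocol capability string, so a filter must allow exactly that form while still refusing "-e cmd", "-ve cmd" and --rsh. The command allowlist, the binary paths, the scp flags permitted, the extra rsync options refused (--daemon, --config, -M/--remote-option) and the capability letters accepted are this example's assumptions, chosen conservatively: any "e" in a short-option cluster that is not followed by ".letters" is refused, even where rsync's own option parser would have bound that "e" to a preceding option's argument.

```python
"""Added example, not rssh's own code: validate the "-c" command string a
restricted login shell receives from sshd, then exec the real binary with a
clean environment.  Allowlists, paths and option sets are assumptions."""
import os
import re
import shlex
import sys

ASSIGNMENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")  # NAME=value word
SHELL_META = set(";|&$`<>(){}\n")  # never meaningful: we exec, not sh -c
# rsync clients pass protocol capabilities as "-e.<letters>"; the letter
# set varies by version, so any letters are accepted after the dot.
RSYNC_EFLAGS_RE = re.compile(r"^\.[A-Za-z]*$")
SCP_ALLOWED_FLAGS = set("tfrdpv")  # assumed safe server-side scp flags
# rsync options that run other programs or read a daemon config (assumed list).
RSYNC_FORBIDDEN_LONG = {"--rsh", "--daemon", "--config", "--remote-option"}
BINARIES = {"scp": "/usr/bin/scp", "rsync": "/usr/bin/rsync",
            "sftp-server": "/usr/lib/openssh/sftp-server"}  # assumed paths

class RejectedCommand(Exception):
    pass

def short_option_clusters(argv):
    """Yield (index, letters) for every "-abc" style argument."""
    for i, arg in enumerate(argv):
        if len(arg) > 1 and arg[0] == "-" and arg[1] != "-":
            yield i, arg[1:]

def check_scp(argv):
    if not any({"t", "f"} & set(l) for _, l in short_option_clusters(argv)):
        raise RejectedCommand("scp must run in server mode (-t or -f)")
    for _, letters in short_option_clusters(argv):
        bad = set(letters) - SCP_ALLOWED_FLAGS
        if bad:  # e.g. -S (ssh program) or -o (ssh option) can run helpers
            raise RejectedCommand("scp option not allowed: -" + "".join(sorted(bad)))

def check_sftp_server(argv):
    if len(argv) != 1:
        raise RejectedCommand("sftp-server takes no arguments here")

def check_rsync(argv):
    if "--server" not in argv:
        raise RejectedCommand("rsync must run in --server mode")
    for arg in argv:
        if arg.startswith("--") and arg.split("=", 1)[0] in RSYNC_FORBIDDEN_LONG:
            raise RejectedCommand("rsync option not allowed: " + arg)
    for i, letters in short_option_clusters(argv):
        if "M" in letters:  # short form of --remote-option
            raise RejectedCommand("rsync -M not allowed")
        pos = letters.find("e")
        if pos == -1:
            continue
        # "e" takes the rest of the cluster ("-vlogDtpre.iLsfxC") or, when the
        # cluster ends there ("-ve /bin/sh"), the next argument.  Only the
        # dot-prefixed capability form passes; any other binding is refused.
        value = letters[pos + 1:] or (argv[i + 1] if i + 1 < len(argv) else "")
        if not RSYNC_EFLAGS_RE.match(value):
            raise RejectedCommand("rsync -e may only carry protocol flags")

CHECKERS = {"scp": check_scp, "sftp-server": check_sftp_server, "rsync": check_rsync}

def validate(cmdline):
    """Return the argv to exec for an acceptable command; otherwise raise."""
    if SHELL_META & set(cmdline):
        raise RejectedCommand("shell metacharacter in command")
    try:
        argv = shlex.split(cmdline)
    except ValueError as e:
        raise RejectedCommand("unparseable command: %s" % e)
    if not argv:
        raise RejectedCommand("empty command")
    if ASSIGNMENT_RE.match(argv[0]):
        # "LD_PRELOAD=/tmp/x.so scp -t ." contains an allowed command word, but
        # its first word is an environment assignment, which sh would honour.
        raise RejectedCommand("environment assignment not allowed: " + argv[0])
    name = argv[0].rsplit("/", 1)[-1]
    if name not in CHECKERS:
        raise RejectedCommand("command not allowed: " + name)
    CHECKERS[name](argv)
    return [BINARIES[name]] + argv[1:]

def is_allowed(cmdline):
    try:
        validate(cmdline)
        return True
    except RejectedCommand:
        return False

if __name__ == "__main__":
    # sshd runs the login shell as:  <shell> -c "<command sent by the client>"
    if len(sys.argv) != 3 or sys.argv[1] != "-c":
        sys.exit("interactive logins are not permitted")
    try:
        argv = validate(sys.argv[2])
    except RejectedCommand as e:
        sys.exit("rejected: %s" % e)
    # Fresh environment for the child: nothing inherited from the client.
    os.execve(argv[0], argv, {"PATH": "/usr/bin:/bin", "LANG": "C",
                              "HOME": os.environ.get("HOME", "/")})
```

Because the validated argv is exec'd directly with a freshly built environment, nothing the client sends, whether in the command string or through any other channel, reaches the environment of scp, sftp-server or rsync; the checker's only job is to make sure the exec'd program cannot itself be talked into running something else.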

[Resent to correct recipients; moderators, please approve THIS
message.]
rssh is a shell for restricting SSH access to a machine to only scp,
sftp, or a small set of similar applications.
http://www.pizzashack.org/rssh/
Henrik Erkkonen has discovered that, through clever manipulation of
environment variables on the ssh command line, it is possible to
circumvent rssh. As far as I can tell, there is no way to effect a
root compromise, except of course if the root account is the one
you're attempting to protect with rssh...
This project is old, and I have no interest in continuing to maintain
it. I looked for easy solutions to the problem, but in discussing
them with Henrik, none which we found satisfactorily address the
problem. Fixing this properly will require more work than I want to
put into it.
Note in particular that the AcceptEnv sshd configuration option need
not be turned on for this exploit to work.
--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

On Tue, May 8, 2012 at 2:14 PM, Derek Martin <code@...> wrote:
> [Resent to correct recipients; moderators, please approve THIS
> message.]
>
> rssh is a shell for restricting SSH access to a machine to only scp,
> sftp, or a small set of similar applications.
>
> http://www.pizzashack.org/rssh/
>
> Henrik Erkkonen has discovered that, through clever manipulation of
> environment variables on the ssh command line, it is possible to
> circumvent rssh. As far as I can tell, there is no way to effect a
> root compromise, except of course if the root account is the one
> you're attempting to protect with rssh...
>
That... is a big, big problem. I've occasionally used it for root access
for backup operations and remote init script management or various "trap"
events from bug reporting.
> This project is old, and I have no interest in continuing to maintain
> it. I looked for easy solutions to the problem, but in discussing
> them with Henrik, none which we found satisfactorily address the
> problem. Fixing this properly will require more work than I want to
> put into it.
>
> Note in particular that the AcceptEnv sshd configuration option need
> not be turned on for this exploit to work.
>
Is it still a problem with OpenSSH version 6, which was recently published?

On Tue, May 08, 2012 at 08:50:11PM -0400, Nico Kadel-Garcia wrote:
> Is it still a problem with OpenSSH version 6, which was
> recently published?
Yes. The flaw is in how rssh parses command lines, irrespective of
what SSH implementation is used. I've been a bit vague about the
details for the moment; I'm hoping that the announcement will generate
some interest in taking over the maintenance of the project. I'd like
to have some sense of what will happen next before the full details
are disclosed. If someone wants to step forward, it would be good to
give them a chance to fix it before that happens.
--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

Derek Martin <code@...> writes:
> On Tue, May 08, 2012 at 08:50:11PM -0400, Nico Kadel-Garcia wrote:
>> Is it still a problem with OpenSSH version 6, which was
>> recently published?
> Yes. The flaw is in how rssh parses command lines, irrespective of what
> SSH implementation is used. I've been a bit vague about the details for
> the moment; I'm hoping that the announcement will generate some interest
> in taking over the maintenance of the project. I'd like to have some
> sense of what will happen next before the full details are disclosed.
> If someone wants to step forward, it would be good to give them a chance
> to fix it before that happens.
I can't realistically offer to take over upstream development, as I have
too much else on my plate, but I plan on continuing to maintain the Debian
package for rssh unless the security situation is untenable, and I'm happy
to help at least with merging the current Debian patches and trying to
review other changes. Particularly if the source ended up on Github or
some other public Git hosting facility that's a little less annoying than
Sourceforge, but I can deal with Sourceforge if that's what people really
want to use.
So if someone else is willing to step up, I can at least offer to have you
not be alone. :)
--
Russ Allbery (rra@...) <http://www.eyrie.org/~eagle/>

On Tue, May 15, 2012 at 10:46:04AM -0500, Derek Martin wrote:
> On Tue, May 08, 2012 at 12:24:52PM -0500, Derek Martin wrote:
> > Henrik Erkkonen has discovered that, through clever manipulation of
> > environment variables on the ssh command line, it is possible to
> > circumvent rssh. As far as I can tell, there is no way to effect a
> > root compromise, except of course if the root account is the one
> > you're attempting to protect with rssh...
> >
>
> Actually, I have a patch for this. I'll be publishing it later this
> week, when I can find some time to do it.
I haven't had the time to work up a proper release for this issue, but
I do have a patch, which is attached. Hopefully I'll get some time
to do a release this weekend.
--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

Derek Martin <code@...> writes:
> This was CVE-2012-3478, for which I had originally only posted a patch
> to the rssh mailing list. It is now fixed in the new release.
> The new issue is CVE-2012-2252, which involves improper filtering of the
> rsync command line, when rsync support is configured. This may be
> somewhat of a non-issue for recent stock rssh installations, as stock
> rssh does not support newer rsync binaries which use -e to specify the
> rsync protocol; thus if you're using rssh with a recent installation,
> rsync does not work for you anyway, and you therefore most likely have
> it disabled by config. Nevertheless, it is a legitimate security
> concern if you have rsync enabled in the configuration. This also is
> fixed in 2.3.4.
> This release also includes some mostly trivial updates for the build
> and a bit of minor code clean-up.
> For people using rssh packages from Debian, Red Hat, or one of their
> derivatives, a third vulnerability was recently discovered, assigned
> CVE-2012-2251. This issue exists only in a third-party patch to make
> rssh work with newer rsync binaries. Stock rssh *is not vulnerable* to
> this issue. However if you are relying on your vendor to package rssh,
> this likely affects you.
Attached is the updated version of the patch used in Debian to permit the
rsync reuse of the -e option to convey protocol information, for those who
may be applying this patch to their own builds. This has not yet been
updated to be based on the 2.3.4 release and is still based on 2.3.3.
I'll be updating the Debian packaging to the new 2.3.4 release in the
coming months.
--
Russ Allbery (rra@...) <http://www.eyrie.org/~eagle/>

On Tue, Nov 27, 2012 at 6:59 PM, Derek Martin <code@...> wrote:
> All,
>
> Today I released rssh-2.3.4, which fixes an old issue, and a new
> issue:
> Lastly, since the vendors are providing their own packages, and I'm no
> longer set up to build RPMs, I am no longer providing rssh in RPM
> form. Please be sure to update rssh to v2.3.4, either by downloading
> and compiling from the website, or by updating your vendor's packages.
>
> http://www.pizzashack.org/rssh/downloads.shtml
Any chance I can talk you into submitting an update request at
redhat.bugzilla.com? As the author of rssh, I suspect they'll take
your update suggestion a lot more seriously than mine.

Nico Kadel-Garcia <nkadel@...> writes:
> Any chance I can talk you into submitting an update request at
> redhat.bugzilla.com? As the author of rssh, I suspect they'll take
> your update suggestion a lot more seriously than mine.
The security issue was coordinated with the Red Hat security team, so I
suspect it's already on their radar.
--
Russ Allbery (rra@...) <http://www.eyrie.org/~eagle/>